The Information Commissioner’s Office (ICO) has fined Ticketmaster £1.25 million for failing to protect customer data.
The watchdog ruled that the ticket retailer failed to implement appropriate security practices to prevent a cyber-attack on a chat-bot installed on its online payment page.
In a statement, the ICO said Ticketmaster’s data protection failures constituted a breach of the General Data Protection Regulation (GDPR).
James Dipple-Johnstone, Deputy Commissioner, said: “When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not.
“Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.”
Up to 9.4 million Ticketmaster customers across Europe, including 1.5 million in the UK, were affected by the data breach.
User data was exposed beginning in 2018 following Ticketmaster’s decision to host a third-party chatbot on its online payment page. Security vulnerabilities meant that attackers were able to access customers’ financial details through the site.
Data exposed by the incident included customer names, payment card numbers, expiry dates and CVV numbers.
The ICO investigation revealed that, despite repeated warnings over fraudulent activity, Ticketmaster took nine weeks to identify and address the problem.
It also ruled that Ticketmaster failed to ‘adequately assess the risks’ of using a chatbot on its payment page and implement ‘appropriate security measures to negate the risks’.
As a result of the breach, 60,000 payment cards belonging to Barclays customers were subjected to fraud, and Monzo Bank was forced to replace 6,000 cards as a precaution.
Although the breach began in February 2018, the penalty only relates to the breach from 25 May 2018, when new rules under GDPR came into effect.
The Ticketmaster fine marks the latest in a string of penalties imposed by the ICO in recent weeks.
Dipple-Johnstone said the latest fine stands as a warning to organisations that fail to protect customer data.
“The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda,” he said.
Chris Combemale, CEO of the Data & Marketing Association, commented: “This particular case sends a stark warning to organisations that GDPR compliance is both people- and technology-driven.
“Within a month, the ICO has now issued several record-breaking fines in response to significant security failures by organisations that are responsible for the data of millions of customers.”